Date: Thu, 9 Jan 2025 11:26:47 +0000
From: qasdev
To: Chao Yu, Jaegeuk Kim
Cc: linux-f2fs-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] f2fs: Fix slab-out-of-bounds Read KASAN bug in f2fs_getxattr()

On Thu, Jan 09, 2025 at 05:02:02PM +0800, Chao Yu wrote:
> On 1/9/25 00:23, qasdev wrote:
> > On Wed, Jan 08, 2025 at 07:44:03PM +0800, Chao Yu wrote:
> > > Hi Qasim,
> > >
> > > On 2025/1/8 07:03, qasdev wrote:
> > > > In f2fs_getxattr(), the function lookup_all_xattrs() allocates a 12-byte
> > > > (base_size) buffer for an inline extended attribute. However, when
> > > > __find_inline_xattr() calls __find_xattr(), it uses the macro
> > > > "list_for_each_xattr(entry, addr)", which starts by calling
> > > > XATTR_FIRST_ENTRY(addr). This skips a 24-byte struct f2fs_xattr_header
> > > > at the beginning of the buffer, causing an immediate out-of-bounds read
> > > > in a 12-byte allocation. The subsequent !IS_XATTR_LAST_ENTRY(entry)
> > > > check then dereferences memory outside the allocated region, triggering
> > > > the slab-out-of-bounds read.
> > > >
> > > > This patch prevents the out-of-bounds read by adding a check to bail
> > > > out early if inline_size is too small and does not account for the
> > > > header plus the 4-byte value that IS_XATTR_LAST_ENTRY reads.
> > >
> > > Thank you very much for analyzing this issue, the root cause you figured out
> > > makes sense to me.
> > >
> > > Can you please check the patch in below link? It seems it can fix this issue
> > > as well? IIUC.
> > >
> > > https://lore.kernel.org/linux-f2fs-devel/20241216134600.8308-1-chao@kernel.org/
> > >
> > > Thanks,
> >
> > Hi Chao,
> >
> > I tested the patch you linked on my machine and with syzbot, and both tests succeeded.
> > The patch you linked works very well.
>
> Hi Qasdev,
>
> Thanks for the test!
>
> > Here is the link to the results of the testing of both patches: https://syzkaller.appspot.com/bug?extid=f5e74075e096e757bdbf
> >
> > Would it be possible to include me in the Tested-by header and any other contribution acknowledgments you feel appropriate?
> > Thanks!
> >
> > Best regards,
> > Qasim
> >
> > > > Reported-by: syzbot
> > > > Closes: https://syzkaller.appspot.com/bug?extid=f5e74075e096e757bdbf
> > > > Tested-by: syzbot
> > > > Tested-by: Qasim Ijaz
>
> IMO, it will be better to quote your comment description and all above tags
> into the patch, what do you think?
>
> Thanks,

Hi Chao,

Thank you for the suggestion. I agree that quoting my comment description and tags into the patch would provide helpful context. Please feel free to include them as appropriate.

Let me know if you need anything else from me.

Best regards,
Qasim

> > > > Fixes: 388a2a0640e1 ("f2fs: remove redundant sanity check in sanity_check_inode()")
> > > > Signed-off-by: Qasim Ijaz
> > > > ---
> > > > fs/f2fs/xattr.c | 3 +++
> > > > 1 file changed, 3 insertions(+)
> > > >
> > > > diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c
> > > > index 3f3874943679..cf82646bca0e 100644
> > > > --- a/fs/f2fs/xattr.c
> > > > +++ b/fs/f2fs/xattr.c
> > > > @@ -329,6 +329,9 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage,
> > > > if (!xnid && !inline_size)
> > > > return -ENODATA;
> > > > + if (inline_size < sizeof(struct f2fs_xattr_header) + sizeof(__u32))
> > > > + return -ENODATA;
> > > > +
> > > > *base_size = XATTR_SIZE(inode) + XATTR_PADDING_SIZE;
> > > > txattr_addr = xattr_alloc(F2FS_I_SB(inode), *base_size, is_inline);
> > > > if (!txattr_addr)
> > > >
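Review bot: the new check in lookup_all_xattrs() also rejects inodes that have no inline xattr area at all. The preceding test only returns -ENODATA when both xnid and inline_size are zero, so an inode with inline_size == 0 but a valid xnid falls through to `if (inline_size < sizeof(struct f2fs_xattr_header) + sizeof(__u32))` and returns -ENODATA before the external xattr node is ever read, which would make every lookup on such an inode fail. Limiting the bail-out to the inline case (for example `if (inline_size && inline_size < ...)`) keeps it to the undersized inline buffer the commit message describes. Returning -ENODATA for an inline_size that is too small to hold a header also reports on-disk corruption as "attribute absent"; the commit message should at least say why the minimum is the header plus one __u32 (the value IS_XATTR_LAST_ENTRY reads) so a reader does not have to derive it from the macro.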
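A user-space model of the size check discussed in this thread, added here as an example and not f2fs code: the struct names and field layout, the -EINVAL return for a malformed entry, and the build_sample/demo_* helpers are assumptions chosen to mirror the 24-byte header and 12-byte allocation in the commit message. It goes beyond the patch by also bounding every later entry against the buffer length, since the entry sizes come from disk.

```c
/* Added example (not f2fs code): a user-space model of walking a packed
 * extended-attribute buffer, showing why the buffer length must be checked
 * against the header and the 4-byte end marker before the first entry is
 * read. The layouts below are assumptions chosen to mirror the 24-byte
 * header and the 12-byte allocation the commit message describes. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct xattr_header {            /* 24 bytes, like struct f2fs_xattr_header */
    uint32_t h_magic;
    uint32_t h_refcount;
    uint32_t h_reserved[4];
};

struct xattr_entry {             /* 4-byte fixed part; name, then value, follow */
    uint8_t  e_name_index;
    uint8_t  e_name_len;
    uint16_t e_value_size;
};

#define XATTR_ALIGN(n)  (((n) + 3u) & ~3u)
#define ENTRY_SIZE(eh)  XATTR_ALIGN(sizeof(struct xattr_entry) + (eh)->e_name_len + (eh)->e_value_size)

static uint32_t rd32(const uint8_t *p)      /* 4-byte read, like IS_XATTR_LAST_ENTRY */
{
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Look up (index, name) in buf[0..len). Returns the value length, or a
 * negative errno: -ENODATA when absent or when the buffer cannot hold a
 * header plus end marker, -EINVAL when an entry's sizes run past the buffer. */
int find_xattr(const uint8_t *buf, size_t len, uint8_t index,
               const char *name, const uint8_t **value)
{
    /* The guard from the patch: without it the first entry would already sit
     * 24 bytes into a 12-byte allocation and the end-marker read is OOB. */
    if (len < sizeof(struct xattr_header) + sizeof(uint32_t))
        return -ENODATA;

    size_t name_len = strlen(name);
    const uint8_t *end = buf + len;
    const uint8_t *p = buf + sizeof(struct xattr_header);

    while (rd32(p) != 0) {                   /* 4 bytes at p are in bounds here */
        struct xattr_entry eh;
        memcpy(&eh, p, sizeof eh);
        size_t esz = ENTRY_SIZE(&eh);
        /* Bound every step, not just the first: on-disk sizes are untrusted.
         * The next entry's 4-byte marker must also fit. */
        if (esz > (size_t)(end - p) - sizeof(uint32_t))
            return -EINVAL;
        if (eh.e_name_index == index && eh.e_name_len == name_len &&
            memcmp(p + sizeof eh, name, name_len) == 0) {
            *value = p + sizeof eh + eh.e_name_len;
            return eh.e_value_size;
        }
        p += esz;
    }
    return -ENODATA;
}

/* Constructed sample: header, one entry (index 1, name "test", value "hi"),
 * then the zero end marker. Returns the number of bytes written (40). */
size_t build_sample(uint8_t *out, size_t cap)
{
    static const char name[] = "test", value[] = "hi";
    struct xattr_header hdr = { .h_magic = 0xF2F52012u, .h_refcount = 1 };
    struct xattr_entry eh = { .e_name_index = 1,
                              .e_name_len = sizeof name - 1,
                              .e_value_size = sizeof value - 1 };
    size_t total = sizeof hdr + ENTRY_SIZE(&eh) + sizeof(uint32_t);
    if (cap < total)
        return 0;
    memset(out, 0, total);                    /* trailing zeros form the end marker */
    memcpy(out, &hdr, sizeof hdr);
    uint8_t *p = out + sizeof hdr;
    memcpy(p, &eh, sizeof eh);
    memcpy(p + sizeof eh, name, eh.e_name_len);
    memcpy(p + sizeof eh + eh.e_name_len, value, eh.e_value_size);
    return total;
}

/* Well-formed buffer: the lookup succeeds and returns the 2-byte value. */
int demo_valid(void)
{
    uint8_t buf[64];
    const uint8_t *v = NULL;
    size_t n = build_sample(buf, sizeof buf);
    int r = find_xattr(buf, n, 1, "test", &v);
    return (r == 2 && memcmp(v, "hi", 2) == 0) ? r : -1;
}

/* The bug's shape: only 12 bytes are "allocated", so the walk must not start. */
int demo_short_buffer(void)
{
    uint8_t buf[64];
    const uint8_t *v = NULL;
    build_sample(buf, sizeof buf);
    return find_xattr(buf, 12, 1, "test", &v);
}

/* A corrupt entry whose e_value_size points past the buffer is rejected. */
int demo_corrupt_entry(void)
{
    uint8_t buf[64];
    const uint8_t *v = NULL;
    size_t n = build_sample(buf, sizeof buf);
    uint16_t huge = 1000;                     /* overwrite e_value_size (offset 2) */
    memcpy(buf + sizeof(struct xattr_header) + 2, &huge, sizeof huge);
    return find_xattr(buf, n, 1, "test", &v);
}
```

The first `if` in find_xattr is the patch's check; the per-entry bound inside the loop is the generalisation, because once a walker trusts sizes read from the buffer, any later entry can run past the allocation just as the first one does when the buffer is shorter than a header.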